Hackers break into hotel wi-fi to attack travelling execs

Executives travelling through Asia on business are being warned to stay alert when using hotel wi-fi after hackers were discovered infiltrating the systems to gain access to sensitive corporate data.

The attackers - which have been dubbed 'Darkhotel' by Kaspersky, the authors of the research - target CEOs and other executives staying in ritzy hotels for business through often insecure wi-fi networks.

After gaining control over the network, the group offers specific targets fake updates - usually in the form of an Adobe Flash, Windows Messenger or Google Toolbar update - within embedded iframes located inside a hotel's login portal.

The backdoor, once downloaded, then infects the user's device with password-harvesting software and a key logger in an effort to capture sensitive and confidential business data.

Once the attackers have obtained their required data, they delete their tools from the hotel network so as to evade capture.

According to Kaspersky, the group often targets specific individuals, and knew a target's room number, length of stay and name prior to the guest's arrival in the hotel.

The group has the "operational competence to compromise, mis-use, and maintain access to global scale, trusted commercial network resources with strategic precision for years", alongside "advanced mathematical and crypto-analytical offensive capabilities" sufficient to abuse trusted commercial networks, the report [pdf] stated.

The security firm estimated that thousands of people - including top execs from Asia and the US - had been affected, predominantly those travelling in Japan, as well as in Taiwan, China and other countries, in a campaign of attacks it said had been around since at least 2007.

The firm was unable to pinpoint who was behind the attacks, but said the malware had Korean language in its code.

The Darkhotel malware is also spread through Japanese peer-to-peer file sharing sites, as well as other P2P networks like BitTorrent. The campaign also targets defense and NGO organisations through spear phishing attacks.

The discovery of the campaign comes as Australia prepares to host the G20 heads of government meeting in Brisbane over the weekend.

The Australian Signals Directorate last week issued an advisory [pdf] warning of the heightened IT security risks associated with such an event.

The agency advised delegates to avoid using hotel or conference facility networks to communicate official or sensitive information on devices not connected to a secure network.

“Where possible, try to avoid using hotel internet kiosks and internet cafes to send or receive important data. Do not connect to open wi-fi networks for business purposes. Only wireless communications that are needed and can be secured should be enabled," the ASD said.